dev  

Messages by Thread

• [I] SBOM Conformance External HTTP Requests Without Explicit Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] SBOM Conformance External HTTP Requests Without Explicit Timeout (tooling-trusted-releases) via GitHub
• [I] SSH Server Lacks Connection and Idle Timeouts (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Server Lacks Connection and Idle Timeouts (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Server Lacks Connection and Idle Timeouts (tooling-trusted-releases) via GitHub
• [I] Debug print() Bypasses Structured Logging (tooling-trusted-releases) via GitHub
  • Re: [I] Debug print() Bypasses Structured Logging (tooling-trusted-releases) via GitHub
  • [I] Debug print() Bypasses Structured Logging (tooling-trusted-releases) via GitHub
  • Re: [I] Debug print() Bypasses Structured Logging (tooling-trusted-releases) via GitHub
  • Re: [I] Debug print() Bypasses Structured Logging (tooling-trusted-releases) via GitHub
• [I] No Explicit Directory Listing Prevention on Docroot (tooling-trusted-releases) via GitHub
  • Re: [I] No Explicit Directory Listing Prevention on Docroot (tooling-trusted-releases) via GitHub
  • [I] No Explicit Directory Listing Prevention on Docroot (tooling-trusted-releases) via GitHub
  • Re: [I] No Explicit Directory Listing Prevention on Docroot (tooling-trusted-releases) via GitHub
  • Re: [I] No Explicit Directory Listing Prevention on Docroot (tooling-trusted-releases) via GitHub
• [I] Binary Tool Downloaded Without Integrity Verification (CycloneDX CLI) (tooling-trusted-releases) via GitHub
• [I] OAuth Client Does Not Request Explicit Scopes (Principle of Least Privilege) (tooling-trusted-releases) via GitHub
• [I] Dynamic Field Assignment Without Explicit Allowlist in Policy Updates (tooling-trusted-releases) via GitHub
  • Re: [I] Dynamic Field Assignment Without Explicit Allowlist in Policy Updates (tooling-trusted-releases) via GitHub
  • Re: [I] Dynamic Field Assignment Without Explicit Allowlist in Policy Updates (tooling-trusted-releases) via GitHub
• [I] Missing Authorization Documentation for Distribution/SSH/Keys/Policy/Project Operations (tooling-trusted-releases) via GitHub
• [I] ATR JWTs Lack Explicit Token Type Identification (tooling-trusted-releases) via GitHub
  • Re: [I] ATR JWTs Lack Explicit Token Type Identification (tooling-trusted-releases) via GitHub
  • Re: [I] ATR JWTs Lack Explicit Token Type Identification (tooling-trusted-releases) via GitHub
  • Re: [I] ATR JWTs Lack Explicit Token Type Identification (tooling-trusted-releases) via GitHub
  • Re: [I] ATR JWTs Lack Explicit Token Type Identification (tooling-trusted-releases) via GitHub
• [I] Resource-Committee Validation Control Not Applied Across Storage Writers (tooling-trusted-releases) via GitHub
  • Re: [I] Resource-Committee Validation Control Not Applied Across Storage Writers (tooling-trusted-releases) via GitHub
  • Re: [I] Resource-Committee Validation Control Not Applied Across Storage Writers (tooling-trusted-releases) via GitHub
• [I] Admin Route Uses Insufficient Authorization Context for Storage Layer (tooling-trusted-releases) via GitHub
  • Re: [I] Admin Route Uses Insufficient Authorization Context for Storage Layer (tooling-trusted-releases) via GitHub
• [I] Web-Based JWT Issuance Not Audit-Logged (tooling-trusted-releases) via GitHub
  • Re: [I] Web-Based JWT Issuance Not Audit-Logged (tooling-trusted-releases) via GitHub
• [I] Discuss: Session contents (tooling-trusted-releases) via GitHub
  • Re: [I] Discuss: Session contents (tooling-trusted-releases) via GitHub
  • Re: [I] Discuss: Session contents (tooling-trusted-releases) via GitHub
• [I] GPG detection (tooling-trusted-releases) via GitHub
• [I] Discuss how we handle private mailing list votes in the security model (tooling-trusted-releases) via GitHub
  • Re: [I] Discuss how we handle private mailing list votes in the security model (tooling-trusted-releases) via GitHub
• [PR] Safe paths implementation (tooling-trusted-releases) via GitHub
  • Re: [PR] Safe paths implementation (tooling-trusted-releases) via GitHub
  • [GH] Safe paths implementation (tooling-trusted-releases) via GitHub
  • [GH] Safe paths implementation (tooling-trusted-releases) via GitHub
  • Re: [PR] Safe paths implementation (tooling-trusted-releases) via GitHub
  • Re: [PR] Safe paths implementation (tooling-trusted-releases) via GitHub
• [I] Consider moving the PubSub code to ASFQuart (tooling-trusted-releases) via GitHub
  • Re: [I] Consider moving the PubSub code to ASFQuart (tooling-trusted-releases) via GitHub
• [I] No Session Termination After SSH Key Changes (tooling-trusted-releases) via GitHub
  • Re: [I] No Session Termination After SSH Key Changes (tooling-trusted-releases) via GitHub
  • Re: [I] No Session Termination After SSH Key Changes (tooling-trusted-releases) via GitHub
  • Re: [I] No Session Termination After SSH Key Changes (tooling-trusted-releases) via GitHub
• [I] Form Validation Error Messages Rendered as Unescaped HTML (tooling-trusted-releases) via GitHub
  • Re: [I] Form Validation Error Messages Rendered as Unescaped HTML (tooling-trusted-releases) via GitHub
  • Re: [I] Form Validation Error Messages Rendered as Unescaped HTML (tooling-trusted-releases) via GitHub
• [I] Disallowed File Detection Occurs After Storage, Not At Upload Time (tooling-trusted-releases) via GitHub
• [I] No Evidence of postMessage Origin Validation in Application (tooling-trusted-releases) via GitHub
  • Re: [I] No Evidence of postMessage Origin Validation in Application (tooling-trusted-releases) via GitHub
  • Re: [I] No Evidence of postMessage Origin Validation in Application (tooling-trusted-releases) via GitHub
• [I] API Distribution Models Missing Platform/Owner-Namespace Validation (tooling-trusted-releases) via GitHub
  • Re: [I] API Distribution Models Missing Platform/Owner-Namespace Validation (tooling-trusted-releases) via GitHub
• [I] Project Creation Race Condition Between Existence Check and Insert (tooling-trusted-releases) via GitHub
  • Re: [I] Project Creation Race Condition Between Existence Check and Insert (tooling-trusted-releases) via GitHub
• [I] Web-Issued JWTs Cannot Be Revoked and Survive PAT Deletion (tooling-trusted-releases) via GitHub
  • Re: [I] Web-Issued JWTs Cannot Be Revoked and Survive PAT Deletion (tooling-trusted-releases) via GitHub
  • Re: [I] Web-Issued JWTs Cannot Be Revoked and Survive PAT Deletion (tooling-trusted-releases) via GitHub
• [I] API Blueprint Lacks Explicit CORS Preflight Enforcement for Session-Authenticated Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] API Blueprint Lacks Explicit CORS Preflight Enforcement for Session-Authenticated Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] API Blueprint Lacks Explicit CORS Preflight Enforcement for Session-Authenticated Endpoints (tooling-trusted-releases) via GitHub
• [I] Pre-Extraction Safety Checks Do Not Verify Total Uncompressed Size (tooling-trusted-releases) via GitHub
  • Re: [I] Pre-Extraction Safety Checks Do Not Verify Total Uncompressed Size (tooling-trusted-releases) via GitHub
• [I] Admin Blueprint post Decorator Bypasses LDAP Active Account Check (tooling-trusted-releases) via GitHub
  • Re: [I] Admin Blueprint post Decorator Bypasses LDAP Active Account Check (tooling-trusted-releases) via GitHub
• [I] Documentation Does Not Address Adaptive Response Mechanisms (tooling-trusted-releases) via GitHub
  • Re: [I] Documentation Does Not Address Adaptive Response Mechanisms (tooling-trusted-releases) via GitHub
  • Re: [I] Documentation Does Not Address Adaptive Response Mechanisms (tooling-trusted-releases) via GitHub
• [I] ldap.is_active() Returns True When LDAP Is Unconfigured (Fail-Open) (tooling-trusted-releases) via GitHub
  • Re: [I] ldap.is_active() Returns True When LDAP Is Unconfigured (Fail-Open) (tooling-trusted-releases) via GitHub
  • Re: [I] ldap.is_active() Returns True When LDAP Is Unconfigured (Fail-Open) (tooling-trusted-releases) via GitHub
• [I] JWT API Authentication Success Not Logged (tooling-trusted-releases) via GitHub
  • Re: [I] JWT API Authentication Success Not Logged (tooling-trusted-releases) via GitHub
  • Re: [I] JWT API Authentication Success Not Logged (tooling-trusted-releases) via GitHub
• [I] SSH Authentication Pathway Lacks Rate Limiting (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Authentication Pathway Lacks Rate Limiting (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Authentication Pathway Lacks Rate Limiting (tooling-trusted-releases) via GitHub
• [I] In-Memory Hash Function Could Process Unbounded Data (tooling-trusted-releases) via GitHub
  • Re: [I] In-Memory Hash Function Could Process Unbounded Data (tooling-trusted-releases) via GitHub
  • Re: [I] In-Memory Hash Function Could Process Unbounded Data (tooling-trusted-releases) via GitHub
• [I] SSH Authentication Surface Not Covered in Authentication Security Documentation (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Authentication Surface Not Covered in Authentication Security Documentation (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Authentication Surface Not Covered in Authentication Security Documentation (tooling-trusted-releases) via GitHub
• [I] No Cleanup or Aggregate Limit for Upload Staging Directories (tooling-trusted-releases) via GitHub
  • Re: [I] No Cleanup or Aggregate Limit for Upload Staging Directories (tooling-trusted-releases) via GitHub
  • Re: [I] No Cleanup or Aggregate Limit for Upload Staging Directories (tooling-trusted-releases) via GitHub
• [I] No Application-Level HTTPS Enforcement for API Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] No Application-Level HTTPS Enforcement for API Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] No Application-Level HTTPS Enforcement for API Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] No Application-Level HTTPS Enforcement for API Endpoints (tooling-trusted-releases) via GitHub
• [I] No File Size Limit on Web Upload Staging Endpoint (tooling-trusted-releases) via GitHub
  • Re: [I] No File Size Limit on Web Upload Staging Endpoint (tooling-trusted-releases) via GitHub
  • Re: [I] No File Size Limit on Web Upload Staging Endpoint (tooling-trusted-releases) via GitHub
• [I] Upload Staging Token Lacks Session Management Properties (tooling-trusted-releases) via GitHub
  • Re: [I] Upload Staging Token Lacks Session Management Properties (tooling-trusted-releases) via GitHub
  • Re: [I] Upload Staging Token Lacks Session Management Properties (tooling-trusted-releases) via GitHub
• [I] Form Hidden Field Validated Against Wrong Source (tooling-trusted-releases) via GitHub
  • Re: [I] Form Hidden Field Validated Against Wrong Source (tooling-trusted-releases) via GitHub
• [I] Upload Session Not Validated Against Project/Version Context (tooling-trusted-releases) via GitHub
  • Re: [I] Upload Session Not Validated Against Project/Version Context (tooling-trusted-releases) via GitHub
  • Re: [I] Upload Session Not Validated Against Project/Version Context (tooling-trusted-releases) via GitHub
• [PR] Merging 952 and 992 (tooling-trusted-releases) via GitHub
  • Re: [PR] Merging 952 and 992 (tooling-trusted-releases) via GitHub
• [PR] Updates to dev/test/production mode detection (tooling-trusted-releases) via GitHub
  • Re: [PR] Updates to dev/test/production mode detection (tooling-trusted-releases) via GitHub
  • Re: [PR] Updates to dev/test/production mode detection (tooling-trusted-releases) via GitHub
• [PR] Extract some of the validation for TP configuration into a shared helper (tooling-trusted-releases) via GitHub
  • Re: [PR] Extract some of the validation for TP configuration into a shared helper (tooling-trusted-releases) via GitHub
• [PR] Periodic recheck of LDAP status (tooling-trusted-releases) via GitHub
  • [GH] Periodic recheck of LDAP status (tooling-trusted-releases) via GitHub
  • [GH] Periodic recheck of LDAP status (tooling-trusted-releases) via GitHub
  • Re: [PR] Periodic recheck of LDAP status (tooling-trusted-releases) via GitHub
  • Re: [PR] Periodic recheck of LDAP status (tooling-trusted-releases) via GitHub
  • Re: [PR] Periodic recheck of LDAP status (tooling-trusted-releases) via GitHub
• [I] No Automatic Credential Revocation on Account Disable (tooling-trusted-releases) via GitHub
  • Re: [I] No Automatic Credential Revocation on Account Disable (tooling-trusted-releases) via GitHub
• [I] SSH Interface Lacks Rate Limiting for Write Operations (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Interface Lacks Rate Limiting for Write Operations (tooling-trusted-releases) via GitHub
• [I] API Models Lack Cross-Field Contextual Validation (tooling-trusted-releases) via GitHub
  • Re: [I] API Models Lack Cross-Field Contextual Validation (tooling-trusted-releases) via GitHub
  • Re: [I] API Models Lack Cross-Field Contextual Validation (tooling-trusted-releases) via GitHub
  • Re: [I] API Models Lack Cross-Field Contextual Validation (tooling-trusted-releases) via GitHub
• [I] Optional Safe-Type URL Parameters Bypass Validation (tooling-trusted-releases) via GitHub
  • Re: [I] Optional Safe-Type URL Parameters Bypass Validation (tooling-trusted-releases) via GitHub
• [I] SBOM score_tool Uses previous_release_version in Path Without Validation (tooling-trusted-releases) via GitHub
  • Re: [I] SBOM score_tool Uses previous_release_version in Path Without Validation (tooling-trusted-releases) via GitHub
  • Re: [I] SBOM score_tool Uses previous_release_version in Path Without Validation (tooling-trusted-releases) via GitHub
• [I] Finish-Phase Operations Executable During Any Release Phase (tooling-trusted-releases) via GitHub
  • Re: [I] Finish-Phase Operations Executable During Any Release Phase (tooling-trusted-releases) via GitHub
  • Re: [I] Finish-Phase Operations Executable During Any Release Phase (tooling-trusted-releases) via GitHub
• [I] API Policy Update Bypasses Form-Level Business Validation (tooling-trusted-releases) via GitHub
• [I] Tar Archive Extraction Uses Explicitly Insecure Default Filter (tooling-trusted-releases) via GitHub
  • Re: [I] Tar Archive Extraction Uses Explicitly Insecure Default Filter (tooling-trusted-releases) via GitHub
• [I] Thread ID Parameter Lacks Format Validation Before Server-Side Request (tooling-trusted-releases) via GitHub
  • Re: [I] Thread ID Parameter Lacks Format Validation Before Server-Side Request (tooling-trusted-releases) via GitHub
• [I] Archive Extraction Does Not Inspect or Sanitize SVG Files (tooling-trusted-releases) via GitHub
  • Re: [I] Archive Extraction Does Not Inspect or Sanitize SVG Files (tooling-trusted-releases) via GitHub
  • Re: [I] Archive Extraction Does Not Inspect or Sanitize SVG Files (tooling-trusted-releases) via GitHub
  • Re: [I] Archive Extraction Does Not Inspect or Sanitize SVG Files (tooling-trusted-releases) via GitHub
• [I] HTTP Redirects Followed Without Target Domain Validation (tooling-trusted-releases) via GitHub
  • Re: [I] HTTP Redirects Followed Without Target Domain Validation (tooling-trusted-releases) via GitHub
• [I] No SVG Sanitization Library or Function Exists in Codebase (tooling-trusted-releases) via GitHub
  • Re: [I] No SVG Sanitization Library or Function Exists in Codebase (tooling-trusted-releases) via GitHub
  • Re: [I] No SVG Sanitization Library or Function Exists in Codebase (tooling-trusted-releases) via GitHub
  • Re: [I] No SVG Sanitization Library or Function Exists in Codebase (tooling-trusted-releases) via GitHub
• [I] Form Fields Bypass Safe Type Validation (Multiple Instances) (tooling-trusted-releases) via GitHub
  • Re: [I] Form Fields Bypass Safe Type Validation (Multiple Instances) (tooling-trusted-releases) via GitHub
• [I] Unsandboxed render_string_sync API Allows Arbitrary Jinja2 Template Compilation (tooling-trusted-releases) via GitHub
  • Re: [I] Unsandboxed render_string_sync API Allows Arbitrary Jinja2 Template Compilation (tooling-trusted-releases) via GitHub
  • Re: [I] Unsandboxed render_string_sync API Allows Arbitrary Jinja2 Template Compilation (tooling-trusted-releases) via GitHub
  • Re: [I] Unsandboxed render_string_sync API Allows Arbitrary Jinja2 Template Compilation (tooling-trusted-releases) via GitHub
• [I] Sequential Template Substitution Allows Variable Injection in Email Templates (tooling-trusted-releases) via GitHub
• [I] LDAP Filter Injection in Account Lookup Function (Multiple Files) (tooling-trusted-releases) via GitHub
  • Re: [I] LDAP Filter Injection in Account Lookup Function (Multiple Files) (tooling-trusted-releases) via GitHub
• [I] User Input Used Directly as RegExp Without Escaping in Project Directory Filter (tooling-trusted-releases) via GitHub
  • Re: [I] User Input Used Directly as RegExp Without Escaping in Project Directory Filter (tooling-trusted-releases) via GitHub
  • Re: [I] User Input Used Directly as RegExp Without Escaping in Project Directory Filter (tooling-trusted-releases) via GitHub
• [I] Missing `--` Separator and Unsafe Argument Order in `sbomqs` Execution (tooling-trusted-releases) via GitHub
  • Re: [I] Missing `--` Separator and Unsafe Argument Order in `sbomqs` Execution (tooling-trusted-releases) via GitHub
• [I] Missing URL Protocol Validation for Third-Party Distribution URLs Rendered in HTML (tooling-trusted-releases) via GitHub
  • Re: [I] Missing URL Protocol Validation for Third-Party Distribution URLs Rendered in HTML (tooling-trusted-releases) via GitHub
• [I] SSH Host Key Generated with RSA 2048-bit (~112 bits of security) (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Host Key Generated with RSA 2048-bit (~112 bits of security) (tooling-trusted-releases) via GitHub
• [I] No Validation of Uploaded OpenPGP Key Cryptographic Strength (tooling-trusted-releases) via GitHub
  • Re: [I] No Validation of Uploaded OpenPGP Key Cryptographic Strength (tooling-trusted-releases) via GitHub
  • Re: [I] No Validation of Uploaded OpenPGP Key Cryptographic Strength (tooling-trusted-releases) via GitHub
• [I] Distribution Operations Have No Audit Logging (tooling-trusted-releases) via GitHub
  • Re: [I] Distribution Operations Have No Audit Logging (tooling-trusted-releases) via GitHub
  • Re: [I] Distribution Operations Have No Audit Logging (tooling-trusted-releases) via GitHub
• [I] Git Clone Operations Without Network Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] Git Clone Operations Without Network Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] Git Clone Operations Without Network Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] Git Clone Operations Without Network Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] Git Clone Operations Without Network Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] Git Clone Operations Without Network Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] Git Clone Operations Without Network Timeout (tooling-trusted-releases) via GitHub
• [I] Missing Centralized Documentation of Resource-Intensive Operations (tooling-trusted-releases) via GitHub
• [I] Archive Extraction Size Tracking Reset by Metadata Files (tooling-trusted-releases) via GitHub
  • Re: [I] Archive Extraction Size Tracking Reset by Metadata Files (tooling-trusted-releases) via GitHub
• [I] Unbounded Directory Traversal and File Hashing in Signature Provenance Endpoint (tooling-trusted-releases) via GitHub
  • Re: [I] Unbounded Directory Traversal and File Hashing in Signature Provenance Endpoint (tooling-trusted-releases) via GitHub
  • Re: [I] Unbounded Directory Traversal and File Hashing in Signature Provenance Endpoint (tooling-trusted-releases) via GitHub
  • Re: [I] Unbounded Directory Traversal and File Hashing in Signature Provenance Endpoint (tooling-trusted-releases) via GitHub
• [I] rsync Subprocess Execution Without Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] rsync Subprocess Execution Without Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] rsync Subprocess Execution Without Timeout (tooling-trusted-releases) via GitHub
• [I] API JWT Creation Endpoint Missing Cache-Control Header (tooling-trusted-releases) via GitHub
  • Re: [I] API JWT Creation Endpoint Missing Cache-Control Header (tooling-trusted-releases) via GitHub
  • Re: [I] API JWT Creation Endpoint Missing Cache-Control Header (tooling-trusted-releases) via GitHub
  • Re: [I] API JWT Creation Endpoint Missing Cache-Control Header (tooling-trusted-releases) via GitHub
• [I] ALLOW_TESTS Flag Enables Complete Authentication Bypass in Production Worker (tooling-trusted-releases) via GitHub
  • Re: [I] ALLOW_TESTS Flag Enables Complete Authentication Bypass in Production Worker (tooling-trusted-releases) via GitHub
  • Re: [I] ALLOW_TESTS Flag Enables Complete Authentication Bypass in Production Worker (tooling-trusted-releases) via GitHub

• Earlier messages
• Later messages